Mac EFI Password Brute Force


I have to start this off by saying, I am not using this to steal computers. A friend has had this laptop for two years, which he bought from Craigslist. He upgraded to Mavericks and suddenly got iCloud locked. Trust me, that story is too lame to make up. So... has anyone written an EFI password tool for the duck? I seem to be hitting some kind of virus protection? First it didn't work at all without changing the VIDPID. Now only a few keystrokes make it. I've even tried Rand_Delay.hex (which didn't work because it must be v1) and my own inject.bin with random delays. I even have more than one second in between keystrokes... still nothing. Has anyone had this problem or know what I'm dealing with? I know people are doing this, they are selling the service on eBay. I do not know if they are using ducks, some seem more intelligent.


If I were you I would pick the VID/PID based on something that the system would normally have plugged in. The more generic, the better. I think there was a list on ducky decode or something that had all the devices and VID/PID numbers mapped out. Also, I do not remember what all the random delay firmware had programmed into it, but make sure it actually can alter its VID/PID. It has been a while since I coded the random delay firmware. I do not know how they are detecting the ducky; usually it is the VID/PID, and I theorized earlier that the uniformity of keystroke injection might be what other software uses to detect the ducky. I don't know much about this Mac BIOS stuff. Can you remove the BIOS battery, and thereby wipe its memory? Midnightsnake might know more about AV firmware detection.

The Duck:

The delay is advised to be around 3000 msecs for the OS to recognise and install drivers (Windows 7 & 8); Windows XP is slightly faster. Can't remember the speed of Linux and OSX, but this number can be tweaked. Using a familiar VID PID speeds this up even more, as some drivers might be preloaded.

Doubt AV is messing about here, as you are at the EFI. AV evasion/Device Control Evasion is by altering the VID & PID. Also you can try altering the Serial Number and Device strings in the main firmware.


As for iCloud lock (according to Apple & Genius Team) that engages when a laptop/phone has been reported as stolen.

Best to turn in the device to the police. (Maybe the owner will let you keep it, and remove the lock?)

I do wait 5 seconds before sending strokes. I have changed my VIDPID to a Dell Multimedia keyboard (I was going to do an Apple one, but thought it might know the difference). I could not use the rand delay firmware; it doesn't look like it changes the VIDPID. I do not know who the owner is, there is no contact information.

How do I change the serial number and device strings?

Edit: It definitely seems to know it's a duck. I plugged in a junk USB keyboard and it types fine with multiple keystrokes per second. Seems like the best thing to try is serial and device stealth, because it seems to definitely deny me based off of VID/PID. Also the duck works fine at the iCloud lock screen, but the timeout makes it impossible to brute force. 5 passwords, 1 minute lock, 1 password, 5 minute lock, 1 password, 15 minute lock lol. Yes, you can reboot, but I don't think you can get to the reboot from the keyboard.


